CWE-396: Declaration of Catch for Generic Exception
Declaration of Catch for Generic Exception
Weakness ID: 396 (Weakness Base)
Status: Draft
Description
Description Summary
Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
Extended Description
Multiple catch blocks can get ugly and repetitive, but "condensing" catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the program. Catching an overly broad exception essentially defeats the purpose of Java's typed exceptions, and can become particularly dangerous if the program grows and begins to throw new types of exceptions. The new exception types will not receive any attention.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
C++
Java
.NET
Common Consequences
Scope
Effect
Non-Repudiation
Other
Technical Impact: Hide activities; Alter execution
logic
Demonstrative Examples
Example 1
The following code excerpt handles three types of exceptions in an
identical fashion.
(Good Code)
Example
Language: Java
try {
doExchange();
}
catch (IOException e) {
logger.error("doExchange failed", e);
}
catch (InvocationTargetException e) {
logger.error("doExchange failed", e);
}
catch (SQLException e) {
logger.error("doExchange failed", e);
}
At first blush, it may seem preferable to deal with these exceptions
in a single catch block, as follows:
(Bad Code)
try {
doExchange();
}
catch (Exception e) {
logger.error("doExchange failed", e);
}
However, if doExchange() is modified to throw a new type of exception
that should be handled in some different kind of way, the broad catch
block will prevent the compiler from pointing out the situation.
Further, the new catch block will now also handle exceptions derived
from RuntimeException such as ClassCastException, and
NullPointerException, which is not the programmer's intent.
Description
